2 // $Id: filter.module 144 2007-03-28 07:52:20Z thierry $
6 * Framework for handling filtering of content.
9 // This is a special format ID which means "use the default format". This value
10 // can be passed to the filter APIs as a format ID: this is equivalent to not
11 // passing an explicit format at all.
12 define('FILTER_FORMAT_DEFAULT', 0);
14 define('FILTER_HTML_STRIP', 1);
15 define('FILTER_HTML_ESCAPE', 2);
18 * Implementation of hook_help().
20 function filter_help($section) {
22 case 'admin/help#filter':
23 $output = '<p>'. t('The filter module allows administrators to configure text input formats for the site. For example, an administrator may want a filter to strip out malicious HTML from user\'s comments. Administrators may also want to make URLs linkable even if they are only entered in an unlinked format.') .'</p>';
24 $output .= '<p>'. t('Users can choose between the available input formats when creating or editing content. Administrators can configure which input formats are available to which user roles, as well as choose a default input format. Administrators can also create new input formats. Each input format can be configured to use a selection of filters.') .'</p>';
25 $output .= t('<p>You can</p>
27 <li>administer input format permissions and settings at <a href="%admin-filters">administer >> input formats</a>.</li>
28 <li>configure the filters for each input format at <a href="%admin-filters">administer >> input formats >> configure</a>.</li>
30 ', array('%admin-filters' => url('admin/filters')));
31 $output .= '<p>'. t('For more information please read the configuration and customization handbook <a href="%filter">Filter page</a>.', array('%filter' => 'http://drupal.org/handbook/modules/filter/')) .'</p>';
33 case 'admin/modules#description':
34 return t('Handles the filtering of content in preparation for display.');
38 <p><em>Input formats</em> define a way of processing user-supplied text in Drupal. Every input format has its own settings of which <em>filters</em> to apply. Possible filters include stripping out malicious HTML and making URLs clickable.</p>
39 <p>Users can choose between the available input formats when submitting content.</p>
40 <p>Below you can configure which input formats are available to which roles, as well as choose a default input format (used for imported content, for example).</p>
41 <p>Note that (1) the default format is always available to all roles, and (2) all filter formats can always be used by roles with the "administer filters" permission even if they are not explicitly listed in the Roles column of this table.</p>');
43 case 'admin/filters/'. arg(2):
45 <p>Every <em>filter</em> performs one particular change on the user input, for example stripping out malicious HTML or making URLs clickable. Choose which filters you want to apply to text in this input format.</p>
46 <p>If you notice some filters are causing conflicts in the output, you can <a href="%rearrange">rearrange them</a>.</p>', array('%rearrange' => url('admin/filters/'. arg(2) .'/order')));
48 case 'admin/filters/'. arg(2) .'/configure':
50 <p>If you cannot find the settings for a certain filter, make sure you\'ve enabled it on the <a href="%url">view tab</a> first.</p>', array('%url' => url('admin/filters/'. arg(2))));
52 case 'admin/filters/'. arg(2) .'/order':
54 <p>Because of the flexible filtering system, you might encounter a situation where one filter prevents another from doing its job. For example: a word in an URL gets converted into a glossary term, before the URL can be converted in a clickable link. When this happens, you will need to rearrange the order in which filters get executed.</p>
55 <p>Filters are executed from top-to-bottom. You can use the weight column to rearrange them: heavier filters \'sink\' to the bottom.</p>');
60 * Implementation of hook_menu().
62 function filter_menu($may_cache) {
66 $items[] = array('path' => 'admin/filters',
67 'title' => t('input formats'),
68 'callback' => 'filter_admin_overview',
69 'access' => user_access('administer filters'),
71 $items[] = array('path' => 'admin/filters/list',
73 'callback' => 'filter_admin_overview',
74 'type' => MENU_DEFAULT_LOCAL_TASK,
75 'access' => user_access('administer filters'),
77 $items[] = array('path' => 'admin/filters/add',
78 'title' => t('add input format'),
79 'callback' => 'filter_admin_format_form',
80 'type' => MENU_LOCAL_TASK,
82 'access' => user_access('administer filters'),
84 $items[] = array('path' => 'admin/filters/delete',
85 'title' => t('delete input format'),
86 'callback' => 'filter_admin_delete',
87 'type' => MENU_CALLBACK,
88 'access' => user_access('administer filters'),
90 $items[] = array('path' => 'filter/tips',
91 'title' => t('compose tips'),
92 'callback' => 'filter_tips_long',
94 'type' => MENU_SUGGESTED_ITEM,
98 if (arg(0) == 'admin' && arg(1) == 'filters' && is_numeric(arg(2))) {
99 $formats = filter_formats();
101 if (isset($formats[arg(2)])) {
102 $items[] = array('path' => 'admin/filters/'. arg(2),
103 'title' => t("'%format' input format", array('%format' => $formats[arg(2)]->name)),
104 'callback' => 'filter_admin_format_form',
105 'callback arguments' => array('format' => $formats[arg(2)]),
106 'type' => MENU_CALLBACK,
107 'access' => user_access('administer filters'),
109 $items[] = array('path' => 'admin/filters/'. arg(2) .'/list',
110 'title' => t('view'),
111 'callback' => 'filter_admin_format_form',
112 'callback arguments' => array('format' => $formats[arg(2)]),
113 'type' => MENU_DEFAULT_LOCAL_TASK,
115 'access' => user_access('administer filters'),
117 $items[] = array('path' => 'admin/filters/'. arg(2) .'/configure',
118 'title' => t('configure'),
119 'callback' => 'filter_admin_configure',
120 'type' => MENU_LOCAL_TASK,
122 'access' => user_access('administer filters'),
124 $items[] = array('path' => 'admin/filters/'. arg(2) .'/order',
125 'title' => t('rearrange'),
126 'callback' => 'filter_admin_order',
127 'callback arguments' => array('format' => $formats[arg(2)]),
128 'type' => MENU_LOCAL_TASK,
130 'access' => user_access('administer filters'),
/**
 * Implementation of hook_perm().
 *
 * @return
 *   An array containing the single permission name defined by this module.
 */
function filter_perm() {
  return array('administer filters');
}
147 * Implementation of hook_filter_tips().
149 function filter_filter_tips($delta, $format, $long = false) {
153 if (variable_get("filter_html_$format", FILTER_HTML_STRIP) == FILTER_HTML_STRIP) {
154 if ($allowed_html = variable_get("allowed_html_$format", '<a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>')) {
157 return t('Allowed HTML tags') .': '. check_plain($allowed_html);
159 $output = '<p>'. t('Allowed HTML tags') .': '. check_plain($allowed_html) .'</p>';
160 if (!variable_get("filter_html_help_$format", 1)) {
165 <p>This site allows HTML content. While learning all of HTML may feel intimidating, learning how to use a very small number of the most basic HTML "tags" is very easy. This table provides examples for each tag that is enabled on this site.</p>
166 <p>For more information see W3C\'s <a href="http://www.w3.org/TR/html/">HTML Specifications</a> or use your favorite search engine to find other sites that explain HTML.</p>');
168 'a' => array( t('Anchors are used to make links to other pages.'), '<a href="'. $base_url .'">'. variable_get('site_name', 'drupal') .'</a>'),
169 'br' => array( t('By default line break tags are automatically added, so use this tag to add additional ones. Use of this tag is different because it is not used with an open/close pair like all the others. Use the extra " /" inside the tag to maintain XHTML 1.0 compatibility'), t('Text with <br />line break')),
170 'p' => array( t('By default paragraph tags are automatically added, so use this tag to add additional ones.'), '<p>'. t('Paragraph one.') .'</p> <p>'. t('Paragraph two.') .'</p>'),
171 'strong' => array( t('Strong'), '<strong>'. t('Strong'). '</strong>'),
172 'em' => array( t('Emphasized'), '<em>'. t('Emphasized') .'</em>'),
173 'cite' => array( t('Cited'), '<cite>'. t('Cited') .'</cite>'),
174 'code' => array( t('Coded text used to show programming source code'), '<code>'. t('Coded') .'</code>'),
175 'b' => array( t('Bolded'), '<b>'. t('Bolded') .'</b>'),
176 'u' => array( t('Underlined'), '<u>'. t('Underlined') .'</u>'),
177 'i' => array( t('Italicized'), '<i>'. t('Italicized') .'</i>'),
178 'sup' => array( t('Superscripted'), t('<sup>Super</sup>scripted')),
179 'sub' => array( t('Subscripted'), t('<sub>Sub</sub>scripted')),
180 'pre' => array( t('Preformatted'), '<pre>'. t('Preformatted') .'</pre>'),
181 'abbr' => array( t('Abbreviation'), t('<abbr title="Abbreviation">Abbrev.</abbr>')),
182 'acronym' => array( t('Acronym'), t('<acronym title="Three-Letter Acronym">TLA</acronym>')),
183 'blockquote' => array( t('Block quoted'), '<blockquote>'. t('Block quoted') .'</blockquote>'),
184 'q' => array( t('Quoted inline'), '<q>'. t('Quoted inline') .'</q>'),
185 // Assumes and describes tr, td, th.
186 'table' => array( t('Table'), '<table> <tr><th>'. t('Table header') .'</th></tr> <tr><td>'. t('Table cell') .'</td></tr> </table>'),
187 'tr' => NULL, 'td' => NULL, 'th' => NULL,
188 'del' => array( t('Deleted'), '<del>'. t('Deleted') .'</del>'),
189 'ins' => array( t('Inserted'), '<ins>'. t('Inserted') .'</ins>'),
190 // Assumes and describes li.
191 'ol' => array( t('Ordered list - use the <li> to begin each list item'), '<ol> <li>'. t('First item') .'</li> <li>'. t('Second item') .'</li> </ol>'),
192 'ul' => array( t('Unordered list - use the <li> to begin each list item'), '<ul> <li>'. t('First item') .'</li> <li>'. t('Second item') .'</li> </ul>'),
194 // Assumes and describes dt and dd.
195 'dl' => array( t('Definition lists are similar to other HTML lists. <dl> begins the definition list, <dt> begins the definition term and <dd> begins the definition description.'), '<dl> <dt>'. t('First term') .'</dt> <dd>'. t('First definition') .'</dd> <dt>'. t('Second term') .'</dt> <dd>'. t('Second definition') .'</dd> </dl>'),
196 'dt' => NULL, 'dd' => NULL,
197 'h1' => array( t('Header'), '<h1>'. t('Title') .'</h1>'),
198 'h2' => array( t('Header'), '<h2>'. t('Subtitle') .'</h2>'),
199 'h3' => array( t('Header'), '<h3>'. t('Subtitle three') .'</h3>'),
200 'h4' => array( t('Header'), '<h4>'. t('Subtitle four') .'</h4>'),
201 'h5' => array( t('Header'), '<h5>'. t('Subtitle five') .'</h5>'),
202 'h6' => array( t('Header'), '<h6>'. t('Subtitle six') .'</h6>')
204 $header = array(t('Tag Description'), t('You Type'), t('You Get'));
205 preg_match_all('/<([a-z0-9]+)[^a-z0-9]/i', $allowed_html, $out);
206 foreach ($out[1] as $tag) {
207 if (array_key_exists($tag, $tips)) {
210 array('data' => $tips[$tag][0], 'class' => 'description'),
211 array('data' => '<code>'. check_plain($tips[$tag][1]) .'</code>', 'class' => 'type'),
212 array('data' => $tips[$tag][1], 'class' => 'get')
218 array('data' => t('No help provided for tag %tag.', array('%tag' => check_plain($tag))), 'class' => 'description', 'colspan' => 3),
222 $output .= theme('table', $header, $rows);
225 <p>Most unusual characters can be directly entered without any problems.</p>
226 <p>If you do encounter problems, try using HTML character entities. A common example looks like &amp; for an ampersand & character. For a full list of entities see HTML\'s <a href="http://www.w3.org/TR/html4/sgml/entities.html">entities</a> page. Some of the available characters include:</p>');
228 array( t('Ampersand'), '&'),
229 array( t('Greater than'), '>'),
230 array( t('Less than'), '<'),
231 array( t('Quotation mark'), '"'),
233 $header = array(t('Character Description'), t('You Type'), t('You Get'));
235 foreach ($entities as $entity) {
237 array('data' => $entity[0], 'class' => 'description'),
238 array('data' => '<code>'. check_plain($entity[1]) .'</code>', 'class' => 'type'),
239 array('data' => $entity[1], 'class' => 'get')
242 $output .= theme('table', $header, $rows);
247 return t('No HTML tags allowed');
255 return t('You may post PHP code. You should include <?php ?> tags.');
258 <h4>Using custom PHP code</h4>
259 <p>If you know how to script in PHP, Drupal gives you the power to embed any script you like. It will be executed when the page is viewed and dynamically embedded into the page. This gives you amazing flexibility and power, but of course with that comes danger and insecurity if you don\'t write good code. If you are not familiar with PHP, SQL or with the site engine, avoid experimenting with PHP because you can corrupt your database or render your site insecure or even unusable! If you don\'t plan to do fancy stuff with your content then you\'re probably better off with straight HTML.</p>
260 <p>Remember that the code within each PHP item must be valid PHP code - including things like correctly terminating statements with a semicolon. It is highly recommended that you develop your code separately using a simple test script on top of a test database before migrating to your production environment.</p>
261 <p>Notes:</p><ul><li>You can use global variables, such as configuration parameters, within the scope of your PHP code but remember that global variables which have been given values in your code will retain these values in the engine afterwards.</li><li>register_globals is now set to <strong>off</strong> by default. If you need form information you need to get it from the "superglobals" $_POST, $_GET, etc.</li><li>You can either use the <code>print</code> or <code>return</code> statement to output the actual content for your item.</li></ul>
262 <p>A basic example:</p>
263 <blockquote><p>You want to have a box with the title "Welcome" that you use to greet your visitors. The content for this box could be created by going:</p>
265 print t("Welcome visitor, ... welcome message goes here ...");
267 <p>If we are however dealing with a registered user, we can customize the message by using:</p>
271 print t("Welcome $user->name, ... welcome message goes here ...");
274 print t("Welcome visitor, ... welcome message goes here ...");
277 <p>For more in-depth examples, we recommend that you check the existing Drupal code and use it as a starting point, especially for sidebar boxes.</p>');
283 return t('Lines and paragraphs break automatically.');
285 return t('Lines and paragraphs are automatically recognized. The <br /> line break, <p> paragraph and </p> close paragraph tags are inserted automatically. If paragraphs are not recognized simply add a couple blank lines.');
291 * Displays a list of all input formats and which one is the default
293 function filter_admin_overview() {
295 // Overview of all formats.
296 $formats = filter_formats();
300 foreach ($formats as $id => $format) {
302 foreach (user_roles() as $rid => $name) {
303 // Prepare a roles array with roles that may access the filter
304 if (strstr($format->roles, ",$rid,")) {
309 $default = ($id == variable_get('filter_default_format', 1));
311 $form[$format->name]['id'] = array('#value' => $id);
312 $form[$format->name]['roles'] = array('#value' => $default ? t('All roles may use default format') : ($roles ? implode(', ',$roles) : t('No roles may use this format')));
313 $form[$format->name]['configure'] = array('#value' => l(t('configure'), 'admin/filters/'. $id));
314 $form[$format->name]['delete'] = array('#value' => $default ? '' : l(t('delete'), 'admin/filters/delete/'. $id));
316 $form['default'] = array('#type' => 'radios', '#options' => $options, '#default_value' => variable_get('filter_default_format', 1));
317 $form['submit'] = array('#type' => 'submit', '#value' => t('Set default format'));
318 return drupal_get_form('filter_admin_overview', $form);
/**
 * Process the input format overview form submission.
 *
 * Stores the submitted 'default' value in the 'filter_default_format'
 * variable. Nothing is stored (and no message is shown) when the value is
 * missing or not numeric.
 *
 * @param $form_id
 *   The ID of the submitted form (unused).
 * @param $form_values
 *   The submitted form values; only the 'default' key is read.
 */
function filter_admin_overview_submit($form_id, $form_values) {
  // Only accept a numeric format ID as the new default.
  if (isset($form_values['default']) && is_numeric($form_values['default'])) {
    drupal_set_message(t('Default format updated.'));
    variable_set('filter_default_format', $form_values['default']);
  }
}
329 function theme_filter_admin_overview($form) {
330 foreach ($form as $name => $element) {
331 if (isset($element['roles']) && is_array($element['roles'])) {
333 form_render($form['default'][$element['id']['#value']]),
335 form_render($element['roles']),
336 form_render($element['configure']),
337 form_render($element['delete'])
342 $header = array(t('Default'), t('Name'), t('Roles'), array('data' => t('Operations'), 'colspan' => 2));
343 $output = theme('table', $header, $rows);
344 $output .= form_render($form);
350 * Menu callback; confirm deletion of a format.
352 function filter_admin_delete() {
354 $format = db_fetch_object(db_query('SELECT * FROM {filter_formats} WHERE format = %d', $format));
357 if ($format->format != variable_get('filter_default_format', 1)) {
358 $form['format'] = array('#type' => 'hidden', '#value' => $format->format);
359 $form['name'] = array('#type' => 'hidden', '#value' => $format->name);
361 return confirm_form('filter_admin_delete', $form, t('Are you sure you want to delete the input format %format?', array('%format' => theme('placeholder', $format->name))), 'admin/filters', t('If you have any content left in this input format, it will be switched to the default input format. This action cannot be undone.'), t('Delete'), t('Cancel'));
364 drupal_set_message(t('The default format cannot be deleted.'));
365 drupal_goto('admin/filters');
/**
 * Process filter delete form submission.
 *
 * Deletes the format row and its filter assignments, points node revisions,
 * comments and boxes that used the deleted format at the current default
 * format, and clears the cache entries stored under 'filter:<format>'.
 *
 * @param $form_id
 *   The ID of the submitted form (unused).
 * @param $form_values
 *   The submitted form values; the 'format' and 'name' keys are read.
 *
 * @return
 *   The path of the input format overview page.
 */
function filter_admin_delete_submit($form_id, $form_values) {
  db_query("DELETE FROM {filter_formats} WHERE format = %d", $form_values['format']);
  db_query("DELETE FROM {filters} WHERE format = %d", $form_values['format']);

  $default = variable_get('filter_default_format', 1);
  // Replace existing instances of the deleted format with the default format.
  db_query("UPDATE {node_revisions} SET format = %d WHERE format = %d", $default, $form_values['format']);
  db_query("UPDATE {comments} SET format = %d WHERE format = %d", $default, $form_values['format']);
  db_query("UPDATE {boxes} SET format = %d WHERE format = %d", $default, $form_values['format']);

  cache_clear_all('filter:'. $form_values['format'], true);
  drupal_set_message(t('Deleted input format %format.', array('%format' => theme('placeholder', $form_values['name']))));

  return 'admin/filters';
}
393 * Generate a filter format form.
395 function filter_admin_format_form($format = NULL) {
396 $default = ($format->format == variable_get('filter_default_format', 1));
398 $help = t('All roles for the default format must be enabled and cannot be changed.');
399 $form['default_format'] = array('#type' => 'hidden', '#value' => 1);
402 $form['name'] = array('#type' => 'textfield',
404 '#default_value' => $format->name,
405 '#description' => t('Specify a unique name for this filter format.'),
409 // Add a row of checkboxes for form group.
410 $form['roles'] = array('#type' => 'fieldset',
411 '#title' => t('Roles'),
412 '#description' => $default ? $help : t('Choose which roles may use this filter format. Note that roles with the "administer filters" permission can always use all the filter formats.'),
416 foreach (user_roles() as $rid => $name) {
417 $checked = strstr($format->roles, ",$rid,");
418 $form['roles'][$rid] = array('#type' => 'checkbox',
420 '#default_value' => ($default || $checked),
423 $form['roles'][$rid]['#attributes'] = array('disabled' => 'disabled');
426 // Table with filters
427 $all = filter_list_all();
428 $enabled = filter_list_format($format->format);
430 $form['filters'] = array('#type' => 'fieldset',
431 '#title' => t('Filters'),
432 '#description' => t('Choose the filters that will be used in this filter format.'),
435 foreach ($all as $id => $filter) {
436 $form['filters'][$id] = array('#type' => 'checkbox',
437 '#title' => $filter->name,
438 '#default_value' => isset($enabled[$id]),
439 '#description' => module_invoke($filter->module, 'filter', 'description', $filter->delta),
442 $form['submit'] = array('#type' => 'submit', '#value' => t('Save configuration'));
444 if (isset($format)) {
445 $form['format'] = array('#type' => 'hidden', '#value' => $format->format);
447 // Composition tips (guidelines)
448 $tips = _filter_tips($format->format, false);
449 $extra = l(t('More information about formatting options'), 'filter/tips');
450 $tiplist = theme('filter_tips', $tips, false, $extra);
452 $tiplist = t('<p>No guidelines available.</p>');
454 $group = t('<p>These are the guidelines that users will see for posting in this input format. They are automatically generated from the filter settings.</p>');
456 $output = '<h2>'. t('Formatting guidelines') .'</h2>'. $group;
458 $output = drupal_get_form('filter_admin_format_form', $form) . $output;
/**
 * Validate filter format form submissions.
 *
 * When the form carries no 'format' value (i.e. a new format is being added),
 * the trimmed name is looked up in {filter_formats} and an error is set on
 * the 'name' element if a format with that name already exists.
 *
 * @param $form_id
 *   The ID of the submitted form (unused).
 * @param $form_values
 *   The submitted form values; the 'format' and 'name' keys are read.
 */
function filter_admin_format_form_validate($form_id, $form_values) {
  if (!isset($form_values['format'])) {
    $name = trim($form_values['name']);
    $result = db_fetch_object(db_query("SELECT format FROM {filter_formats} WHERE name='%s'", $name));
    // A row came back, so the name is already taken.
    if ($result) {
      form_set_error('name', t('Filter format names need to be unique. A format named %name already exists.', array('%name' => theme('placeholder', $name))));
    }
  }
}
477 * Process filter format form submissions.
479 function filter_admin_format_form_submit($form_id, $form_values) {
480 $format = isset($form_values['format']) ? $form_values['format'] : NULL;
481 $current = filter_list_format($format);
482 $name = trim($form_values['name']);
485 // Add a new filter format.
488 db_query("INSERT INTO {filter_formats} (name) VALUES ('%s')", $name);
489 $result = db_fetch_object(db_query("SELECT MAX(format) AS format FROM {filter_formats}"));
490 $format = $result->format;
491 drupal_set_message(t('Added input format %format.', array('%format' => theme('placeholder', $name))));
494 drupal_set_message(t('The input format settings have been updated.'));
497 db_query("DELETE FROM {filters} WHERE format = %d", $format);
498 foreach ($form_values['filters'] as $id => $checked) {
500 list($module, $delta) = explode('/', $id);
501 // Add new filters to the bottom.
502 $weight = isset($current[$id]->weight) ? $current[$id]->weight : 10;
503 db_query("INSERT INTO {filters} (format, module, delta, weight) VALUES (%d, '%s', %d, %d)", $format, $module, $delta, $weight);
505 // Check if there are any 'no cache' filters.
506 $cache &= !module_invoke($module, 'filter', 'no cache', $delta);
510 // We store the roles as a string for ease of use.
511 // We should always set all roles to true when saving a default role.
512 // We use leading and trailing commas to allow easy substring matching.
514 if (isset($form_values['roles'])) {
515 foreach ($form_values['roles'] as $id => $checked) {
521 $roles = ','. implode(',', ($form_values['default_format'] ? user_roles() : $roles)) .',';
523 db_query("UPDATE {filter_formats} SET cache = %d, name='%s', roles = '%s' WHERE format = %d", $cache, $name, $roles, $format);
525 cache_clear_all('filter:'. $format, true);
527 // If a new filter was added, return to the main list of filters. Otherwise, stay on edit filter page to show new changes.
529 return 'admin/filters/';
532 return 'admin/filters/'. $format;
/**
 * Menu callback; display form for ordering filters for a format.
 *
 * Builds one weight selector per filter enabled in the format, plus a hidden
 * element carrying the format ID and a submit button.
 *
 * @param $format
 *   The format object whose filters are to be ordered; its 'format' property
 *   is read.
 *
 * @return
 *   The result of drupal_get_form() for the 'filter_admin_order' form.
 */
function filter_admin_order($format = NULL) {
  // Get the filters enabled for this format. filter_list_format() keeps a
  // static per-request cache and accepts no refresh argument.
  $filters = filter_list_format($format->format);

  $form['weights'] = array('#tree' => TRUE);
  foreach ($filters as $id => $filter) {
    $form['names'][$id] = array('#value' => $filter->name);
    $form['weights'][$id] = array('#type' => 'weight', '#default_value' => $filter->weight);
  }
  $form['format'] = array('#type' => 'hidden', '#value' => $format->format);
  $form['submit'] = array('#type' => 'submit', '#value' => t('Save configuration'));

  return drupal_get_form('filter_admin_order', $form);
}
/**
 * Theme filter order configuration form.
 *
 * Renders each filter name next to its weight selector as a table row, then
 * appends whatever remains of the form.
 *
 * @param $form
 *   The form array; the 'names' and 'weights' children are rendered as rows.
 *
 * @return
 *   The rendered table followed by the rest of the rendered form.
 */
function theme_filter_admin_order($form) {
  $header = array(t('Name'), t('Weight'));
  $rows = array();

  // A format without enabled filters has no 'names' element at all.
  if (isset($form['names']) && is_array($form['names'])) {
    foreach (element_children($form['names']) as $id) {
      // Don't take form control structures
      if (is_array($form['names'][$id])) {
        $rows[] = array(form_render($form['names'][$id]), form_render($form['weights'][$id]));
      }
    }
  }

  $output = theme('table', $header, $rows);
  $output .= form_render($form);

  return $output;
}
/**
 * Process filter order configuration form submission.
 *
 * Writes each submitted weight to the matching {filters} row of the format
 * and clears the cache entries stored under 'filter:<format>'.
 *
 * @param $form_id
 *   The ID of the submitted form (unused).
 * @param $form_values
 *   The submitted form values; 'weights' is keyed by "module/delta" and
 *   'format' holds the format ID.
 */
function filter_admin_order_submit($form_id, $form_values) {
  foreach ($form_values['weights'] as $id => $weight) {
    // Filter IDs have the form "module/delta".
    list($module, $delta) = explode('/', $id);
    db_query("UPDATE {filters} SET weight = %d WHERE format = %d AND module = '%s' AND delta = %d", $weight, $form_values['format'], $module, $delta);
  }
  drupal_set_message(t('The filter ordering has been saved.'));

  cache_clear_all('filter:'. $form_values['format'], true);
}
587 * Menu callback; display settings defined by filters.
589 function filter_admin_configure() {
592 $list = filter_list_format($format);
594 foreach ($list as $filter) {
595 $form_module = module_invoke($filter->module, 'filter', 'settings', $filter->delta, $format);
596 if (isset($form_module) && is_array($form_module)) {
597 $form = array_merge($form, $form_module);
602 $output = system_settings_form('filter_admin_configure', $form);
605 $output = t('No settings are available.');
612 * Retrieve a list of input formats.
614 function filter_formats() {
618 // Administrators can always use all input formats.
619 $all = user_access('administer filters');
621 if (!isset($formats)) {
624 $query = 'SELECT * FROM {filter_formats}';
626 // Build query for selecting the format(s) based on the user's roles.
629 foreach ($user->roles as $rid => $role) {
630 $where[] = "roles LIKE '%%,%d,%%'";
633 $query .= ' WHERE '. implode(' OR ', $where) . ' OR format = %d';
634 $args[] = variable_get('filter_default_format', 1);
637 $result = db_query($query, $args);
638 while ($format = db_fetch_object($result)) {
639 $formats[$format->format] = $format;
/**
 * Build a list of all filters.
 *
 * Asks every module for its filter list through hook_filter('list') and
 * collects the results, sorted by filter name.
 *
 * @return
 *   An array of filter objects keyed by "module/delta". Each object has the
 *   properties 'module', 'delta' and 'name'.
 */
function filter_list_all() {
  $filters = array();

  foreach (module_list() as $module) {
    $list = module_invoke($module, 'filter', 'list');
    if (isset($list) && is_array($list)) {
      foreach ($list as $delta => $name) {
        $filters[$module .'/'. $delta] = (object)array('module' => $module, 'delta' => $delta, 'name' => $name);
      }
    }
  }

  // uasort() keeps the "module/delta" keys intact while sorting by name.
  uasort($filters, '_filter_list_cmp');

  return $filters;
}
/**
 * Helper function for sorting the filter list by filter name.
 *
 * @param $a
 *   First filter object; its 'name' property is compared.
 * @param $b
 *   Second filter object; its 'name' property is compared.
 *
 * @return
 *   The strcmp() result for the two names: negative, zero or positive.
 */
function _filter_list_cmp($a, $b) {
  return strcmp($a->name, $b->name);
}
/**
 * Resolve a format id, including the default format.
 *
 * @param $format
 *   A format ID, or FILTER_FORMAT_DEFAULT.
 *
 * @return
 *   The value of the 'filter_default_format' variable when $format equals
 *   FILTER_FORMAT_DEFAULT, otherwise $format unchanged.
 */
function filter_resolve_format($format) {
  if ($format == FILTER_FORMAT_DEFAULT) {
    return variable_get('filter_default_format', 1);
  }
  return $format;
}
/**
 * Check if text in a certain input format is allowed to be cached.
 *
 * The 'cache' column of {filter_formats} is read once per resolved format
 * and remembered in a static array for the rest of the request.
 *
 * @param $format
 *   A format ID, or FILTER_FORMAT_DEFAULT.
 *
 * @return
 *   The stored 'cache' value for the resolved format.
 */
function filter_format_allowcache($format) {
  static $cache = array();

  $format = filter_resolve_format($format);
  if (!isset($cache[$format])) {
    $cache[$format] = db_result(db_query('SELECT cache FROM {filter_formats} WHERE format = %d', $format));
  }

  return $cache[$format];
}
/**
 * Retrieve a list of filters for a certain format.
 *
 * Rows are read from {filters} in ascending weight order. A row is kept only
 * when its module still lists that delta through hook_filter('list'); the
 * listed name is attached to the row as 'name'. Results are remembered in a
 * static array per format for the rest of the request.
 *
 * @param $format
 *   The format ID to list filters for.
 *
 * @return
 *   An array of filter objects keyed by "module/delta", ordered by weight.
 */
function filter_list_format($format) {
  static $filters = array();

  if (!isset($filters[$format])) {
    $filters[$format] = array();
    $result = db_query("SELECT * FROM {filters} WHERE format = %d ORDER BY weight ASC", $format);
    while ($filter = db_fetch_object($result)) {
      $list = module_invoke($filter->module, 'filter', 'list');
      // Skip rows whose module no longer provides this filter.
      if (isset($list) && is_array($list) && isset($list[$filter->delta])) {
        $filter->name = $list[$filter->delta];
        $filters[$format][$filter->module .'/'. $filter->delta] = $filter;
      }
    }
  }

  return $filters[$format];
}
712 * @name Filtering functions
714 * Modules which need to have content filtered can use these functions to
715 * interact with the filter system.
717 * For more info, see the hook_filter() documentation.
719 * Note: because filters can inject JavaScript or execute PHP code, security is
720 * vital here. When a user supplies a $format, you should validate it with
721 * filter_access($format) before accepting/using it. This is normally done in
722 * the validation stage of the node system. You should for example never make a
723 * preview of content in a disallowed format.
727 * Run all the enabled filters on a piece of text.
730 * The text to be filtered.
732 * The format of the text to be filtered. Specify FILTER_FORMAT_DEFAULT for
733 * the default format.
735 * Whether to check the $format with filter_access() first. Defaults to TRUE.
736 * Note that this will check the permissions of the current user, so you
737 * should specify $check = FALSE when viewing other people's content. When
738 * showing content that is not (yet) stored in the database (eg. upon preview),
739 * set to TRUE so the user's permissions are checked.
741 function check_markup($text, $format = FILTER_FORMAT_DEFAULT, $check = TRUE) {
742 // When $check = true, do an access check on $format.
743 if (isset($text) && (!$check || filter_access($format))) {
744 $format = filter_resolve_format($format);
746 // Check for a cached version of this piece of text.
747 $id = 'filter:'. $format .':'. md5($text);
748 if ($cached = cache_get($id)) {
749 return $cached->data;
752 // See if caching is allowed for this format.
753 $cache = filter_format_allowcache($format);
755 // Convert all Windows and Mac newlines to a single newline,
756 // so filters only need to deal with one possibility.
757 $text = str_replace(array("\r\n", "\r"), "\n", $text);
759 // Get a complete list of filters, ordered properly.
760 $filters = filter_list_format($format);
762 // Give filters the chance to escape HTML-like data such as code or formulas.
763 foreach ($filters as $filter) {
764 $text = module_invoke($filter->module, 'filter', 'prepare', $filter->delta, $format, $text);
767 // Perform filtering.
768 foreach ($filters as $filter) {
769 $text = module_invoke($filter->module, 'filter', 'process', $filter->delta, $format, $text);
772 // Store in cache with a minimum expiration time of 1 day.
774 cache_set($id, $text, time() + (60 * 60 * 24));
778 $text = message_na();
785 * Generate a selector for choosing a format in a form.
788 * The ID of the format that is currently selected.
790 * The weight of the input format.
792 * Required when defining multiple input formats on a single node or having a different parent than 'format'.
794 * HTML for the form element.
796 function filter_form($value = FILTER_FORMAT_DEFAULT, $weight = NULL, $parents = array('format')) {
797 $value = filter_resolve_format($value);
798 $formats = filter_formats();
800 $extra = l(t('More information about formatting options'), 'filter/tips');
802 if (count($formats) > 1) {
804 '#type' => 'fieldset',
805 '#title' => t('Input format'),
806 '#collapsible' => TRUE,
807 '#collapsed' => TRUE,
808 '#weight' => $weight,
809 '#validate' => array('filter_form_validate' => array()),
811 // Multiple formats available: display radio buttons with tips.
812 foreach ($formats as $format) {
813 $form[$format->format] = array(
815 '#title' => $format->name,
816 '#default_value' => $value,
817 '#return_value' => $format->format,
818 '#parents' => $parents,
819 '#description' => theme('filter_tips', _filter_tips($format->format, false)),
824 // Only one format available: use a hidden form item and only show tips.
825 $format = array_shift($formats);
826 $form[$format->format] = array('#type' => 'value', '#value' => $format->format, '#parents' => $parents);
827 $tips = _filter_tips(variable_get('filter_default_format', 1), false);
828 $form['format']['guidelines'] = array(
829 '#title' => t('Formatting guidelines'),
830 '#value' => theme('filter_tips', $tips, false, $extra),
/**
 * Validate the input format selector built by filter_form().
 *
 * The submitted value must equal the '#return_value' of one of the child
 * elements. If none matches, a form error is set and the rejected choice is
 * logged through watchdog().
 *
 * @param $form
 *   The format selector element, including its child elements.
 */
function filter_form_validate($form) {
  // Remember the submitted value so it can be reported if it is rejected.
  $choice = NULL;
  foreach (element_children($form) as $key) {
    $choice = $form[$key]['#value'];
    if ($choice == $form[$key]['#return_value']) {
      return;
    }
  }
  form_error($form, t('An illegal choice has been detected. Please contact the site administrator.'));
  watchdog('form', t('Illegal choice %choice in %name element.', array('%choice' => theme('placeholder', check_plain($choice)), '%name' => theme('placeholder', empty($form['#title']) ? $form['#parents'][0] : $form['#title']))), WATCHDOG_ERROR);
}
/**
 * Returns true if the user is allowed to access this format.
 *
 * @param $format
 *   A format ID; it is passed through filter_resolve_format() first.
 */
function filter_access($format) {
  $format = filter_resolve_format($format);

  // Filter administrators may use every format.
  if (user_access('administer filters')) {
    return true;
  }

  // The site-wide default format is open to everybody.
  if ($format == variable_get('filter_default_format', 1)) {
    return true;
  }

  // Otherwise the format must be in the list returned by filter_formats().
  $available = filter_formats();
  return isset($available[$format]);
}
864 * @} End of "Filtering functions".
/**
 * Menu callback; show a page with long filter tips.
 *
 * When a format ID is given as the third path component only that format's
 * tips are shown; otherwise -1 is passed to _filter_tips() to request the
 * tips of all formats.
 */
function filter_tips_long() {
  $format = arg(2);
  $tips = $format ? _filter_tips($format, true) : _filter_tips(-1, true);
  return theme('filter_tips', $tips, true);
}
/**
 * Helper function for fetching filter tips.
 *
 * @param $format
 *   A format ID, or -1 to collect tips for every format returned by
 *   filter_formats().
 * @param $long
 *   Passed through to each module's filter_tips hook.
 * @return
 *   An array keyed by format name; each value is a list of arrays with the
 *   keys 'tip' (the tip text) and 'id' (the filter's key in the format's
 *   filter list).
 */
function _filter_tips($format, $long = false) {
  if ($format == -1) {
    $format_list = filter_formats();
  }
  else {
    $row = db_fetch_object(db_query("SELECT * FROM {filter_formats} WHERE format = %d", $format));
    $format_list = array($row);
  }

  $tips = array();
  foreach ($format_list as $item) {
    $collected = array();
    foreach (filter_list_format($item->format) as $id => $filter) {
      $tip = module_invoke($filter->module, 'filter_tips', $filter->delta, $item->format, $long);
      // Filters that return nothing contribute no entry.
      if ($tip) {
        $collected[] = array('tip' => $tip, 'id' => $id);
      }
    }
    $tips[$item->name] = $collected;
  }

  return $tips;
}
/**
 * Format a set of filter tips.
 *
 * @param $tips
 *   An array keyed by format name; each value is a list of arrays with the
 *   keys 'tip' and 'id'.
 * @param $long
 *   When true, every tip item gets an id attribute derived from its 'id'.
 * @param $extra
 *   Not used by this implementation.
 * @return
 *   The tips as HTML. With more than one format the per-format lists are
 *   wrapped in an outer list, each entry labelled with the format name.
 *
 * @ingroup themeable
 */
function theme_filter_tips($tips, $long = false, $extra = '') {
  $format_count = count($tips);
  $multiple = $format_count > 1;

  $output = $multiple ? t('input formats') .':' : '';
  if (!$format_count) {
    return $output;
  }

  if ($multiple) {
    $output .= '<ul>';
  }

  foreach ($tips as $name => $tiplist) {
    if ($multiple) {
      $output .= '<li>';
      $output .= '<strong>'. $name .'</strong>:<br />';
    }

    // Render this format's tips as list items.
    $items = '';
    foreach ($tiplist as $tip) {
      $items .= '<li'. ($long ? ' id="filter-'. str_replace("/", "-", $tip['id']) .'">' : '>') . $tip['tip'] . '</li>';
    }

    // A format without tips produces no empty list.
    if ($items) {
      $output .= "<ul class=\"tips\">$items</ul>";
    }

    if ($multiple) {
      $output .= '</li>';
    }
  }

  if ($multiple) {
    $output .= '</ul>';
  }

  return $output;
}
953 * @name Standard filters
955 * Filters implemented by the filter.module.
/**
 * Implementation of hook_filter(). Contains a basic set of essential filters.
 * - HTML filter:
 *     Validates user-supplied HTML, transforming it as necessary.
 * - PHP evaluator:
 *     Executes PHP code.
 * - Line break converter:
 *     Converts newlines into paragraph and break tags.
 *
 * @param $op
 *   The operation: 'list', 'no cache', 'description', 'process' or
 *   'settings'. Any other operation returns $text unchanged.
 * @param $delta
 *   Which filter is meant: 0 = HTML filter, 1 = PHP evaluator,
 *   2 = line break converter.
 * @param $format
 *   The input format the filter is being used in.
 * @param $text
 *   The text to filter.
 */
function filter_filter($op, $delta = 0, $format = -1, $text = '') {
  switch ($op) {
    case 'list':
      return array(0 => t('HTML filter'), 1 => t('PHP evaluator'), 2 => t('Line break converter'));

    case 'no cache':
      return $delta == 1; // No caching for the PHP evaluator.

    case 'description':
      switch ($delta) {
        case 0:
          return t('Allows you to restrict if users can post HTML and which tags to filter out.');
        case 1:
          return t('Runs a piece of PHP code. The usage of this filter should be restricted to administrators only!');
        case 2:
          // The tag names are entity-escaped so they are displayed as text
          // instead of being interpreted as markup.
          return t('Converts line breaks into HTML (i.e. &lt;br&gt; and &lt;p&gt; tags).');
        default:
          return;
      }

    case 'process':
      switch ($delta) {
        case 0:
          return _filter_html($text, $format);
        case 1:
          return drupal_eval($text);
        case 2:
          return _filter_autop($text);
        default:
          return $text;
      }

    case 'settings':
      switch ($delta) {
        case 0:
          return _filter_html_settings($format);
        default:
          return;
      }

    default:
      return $text;
  }
}
/**
 * Settings for the HTML filter.
 *
 * @param $format
 *   The input format ID; it is appended to every variable name so that each
 *   format keeps its own settings.
 * @return
 *   A form array holding one collapsed fieldset with the HTML filter options.
 */
function _filter_html_settings($format) {
  $fieldset = array(
    '#type' => 'fieldset',
    '#title' => t('HTML filter'),
    '#collapsible' => TRUE,
    '#collapsed' => TRUE,
  );

  // Strip disallowed tags or escape everything.
  $fieldset["filter_html_$format"] = array(
    '#type' => 'radios',
    '#title' => t('Filter HTML tags'),
    '#default_value' => variable_get("filter_html_$format", FILTER_HTML_STRIP),
    '#options' => array(FILTER_HTML_STRIP => t('Strip disallowed tags'), FILTER_HTML_ESCAPE => t('Escape all tags')),
    '#description' => t('How to deal with HTML tags in user-contributed content. If set to "Strip disallowed tags", dangerous tags are removed (see below). If set to "Escape tags", all HTML is escaped and presented as it was typed.'),
  );

  // Tags that survive stripping.
  $fieldset["allowed_html_$format"] = array(
    '#type' => 'textfield',
    '#title' => t('Allowed HTML tags'),
    '#default_value' => variable_get("allowed_html_$format", '<a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>'),
    '#size' => 64,
    '#maxlength' => 255,
    '#description' => t('If "Strip disallowed tags" is selected, optionally specify tags which should not be stripped. JavaScript event attributes are always stripped.'),
  );

  // Whether the long tips include HTML help.
  $fieldset["filter_html_help_$format"] = array(
    '#type' => 'checkbox',
    '#title' => t('Display HTML help'),
    '#default_value' => variable_get("filter_html_help_$format", 1),
    '#description' => t('If enabled, Drupal will display some basic HTML help in the long filter tips.'),
  );

  // Whether links get rel="nofollow".
  $fieldset["filter_html_nofollow_$format"] = array(
    '#type' => 'checkbox',
    '#title' => t('Spam link deterrent'),
    '#default_value' => variable_get("filter_html_nofollow_$format", FALSE),
    '#description' => t('If enabled, Drupal will add rel="nofollow" to all links, as a measure to reduce the effectiveness of spam links. Note: this will also prevent valid links from being followed by search engines, therefore it is likely most effective when enabled for anonymous users.'),
  );

  $form['filter_html'] = $fieldset;
  return $form;
}
/**
 * HTML filter. Provides filtering of input into accepted HTML.
 *
 * Depending on the format's "filter_html_$format" setting the text is either
 * passed through filter_xss() with the format's allowed tags or escaped
 * entirely with check_plain(). When the format's nofollow setting is on,
 * rel="nofollow" is added to anchor tags that carry attributes.
 *
 * @param $text
 *   The text to filter.
 * @param $format
 *   The input format ID used to look up the filter's settings.
 * @return
 *   The filtered text, trimmed.
 */
function _filter_html($text, $format) {
  // Read the mode once; it cannot be both values at the same time.
  $mode = variable_get("filter_html_$format", FILTER_HTML_STRIP);

  if ($mode == FILTER_HTML_STRIP) {
    $allowed_tags = preg_split('/\s+|<|>/', variable_get("allowed_html_$format", '<a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>'), -1, PREG_SPLIT_NO_EMPTY);
    $text = filter_xss($text, $allowed_tags);
  }
  elseif ($mode == FILTER_HTML_ESCAPE) {
    // Escape HTML
    $text = check_plain($text);
  }

  if (variable_get("filter_html_nofollow_$format", FALSE)) {
    // Require whitespace after "<a" so that only anchors are matched; without
    // it the pattern also hits other tags whose name starts with "a", such
    // as <abbr>, <acronym> and <address>.
    $text = preg_replace('/<a(\s[^>]*)>/i', '<a\\1 rel="nofollow">', $text);
  }

  return trim($text);
}
/**
 * Convert line breaks into <p> and <br> in an intelligent fashion.
 * Based on: http://photomatt.net/scripts/autop
 *
 * @param $text
 *   The text to convert. The callers' newline normalization is assumed;
 *   only "\n" is treated as a line break here.
 * @return
 *   The text with paragraph and break tags inserted. The contents of <pre>,
 *   <script> and <style> elements are passed through untouched.
 */
function _filter_autop($text) {
  // All block level tags
  $block = '(?:table|thead|tfoot|caption|colgroup|tbody|tr|td|th|div|dl|dd|dt|ul|ol|li|pre|select|form|blockquote|address|p|h[1-6])';

  // Split at <pre>, <script>, <style> and </pre>, </script>, </style> tags.
  // We don't apply any processing to the contents of these tags to avoid messing
  // up code. We look for matched pairs and allow basic nesting. For example:
  // "processed <pre> ignored <script> ignored </script> ignored </pre> processed"
  $chunks = preg_split('@(</?(?:pre|script|style)[^>]*>)@i', $text, -1, PREG_SPLIT_DELIM_CAPTURE);
  // Note: PHP ensures the array consists of alternating delimiters and literals
  // and begins and ends with a literal (inserting NULL as required).
  $ignore = false;
  $ignoretag = '';
  $output = '';
  foreach ($chunks as $i => $chunk) {
    if ($i % 2) {
      // Odd entries are the captured delimiter tags.
      // Opening or closing tag?
      $open = ($chunk[1] != '/');
      // Skip "<" (or "</") and cut the tag name off at the first space or
      // ">". preg_split() replaces the POSIX split() function, which no
      // longer exists in PHP 7. The name is lower-cased because the splitter
      // above matches tags case-insensitively, so "<PRE>" must be closable
      // by "</pre>".
      list($tag) = preg_split('/[ >]/', substr($chunk, $open ? 1 : 2), 2);
      $tag = strtolower($tag);
      if (!$ignore) {
        if ($open) {
          $ignore = true;
          $ignoretag = $tag;
        }
      }
      // Only allow a matching tag to close it.
      else if (!$open && $ignoretag == $tag) {
        $ignore = false;
        $ignoretag = '';
      }
    }
    else if (!$ignore) {
      $chunk = preg_replace('|\n*$|', '', $chunk) ."\n\n"; // just to make things a little easier, pad the end
      $chunk = preg_replace('|<br />\s*<br />|', "\n\n", $chunk);
      $chunk = preg_replace('!(<'. $block .'[^>]*>)!', "\n$1", $chunk); // Space things out a little
      $chunk = preg_replace('!(</'. $block .'>)!', "$1\n\n", $chunk); // Space things out a little
      $chunk = preg_replace("/\n\n+/", "\n\n", $chunk); // take care of duplicates
      $chunk = preg_replace('/\n?(.+?)(?:\n\s*\n|\z)/s', "<p>$1</p>\n", $chunk); // make paragraphs, including one at the end
      $chunk = preg_replace('|<p>\s*?</p>|', '', $chunk); // under certain strange conditions it could create a P of entirely whitespace
      $chunk = preg_replace("|<p>(<li.+?)</p>|", "$1", $chunk); // problem with nested lists
      $chunk = preg_replace('|<p><blockquote([^>]*)>|i', "<blockquote$1><p>", $chunk);
      $chunk = str_replace('</blockquote></p>', '</p></blockquote>', $chunk);
      $chunk = preg_replace('!<p>\s*(</?'. $block .'[^>]*>)!', "$1", $chunk);
      $chunk = preg_replace('!(</?'. $block .'[^>]*>)\s*</p>!', "$1", $chunk);
      $chunk = preg_replace('|(?<!<br />)\s*\n|', "<br />\n", $chunk); // make line breaks
      $chunk = preg_replace('!(</?'. $block .'[^>]*>)\s*<br />!', "$1", $chunk);
      $chunk = preg_replace('!<br />(\s*</?(?:p|li|div|th|pre|td|ul|ol)>)!', '$1', $chunk);
      // Escape ampersands that do not start an entity. The replacement must
      // be "&amp;"; replacing "&" with "&" would change nothing.
      $chunk = preg_replace('/&([^#])(?![A-Za-z0-9]{1,8};)/', '&amp;$1', $chunk);
    }
    $output .= $chunk;
  }
  return $output;
}
/**
 * Very permissive XSS/HTML filter for admin-only use.
 *
 * Use only for fields where it is impractical to use the
 * whole filter system, but where some (mainly inline) mark-up
 * is desired (so check_plain() is not acceptable).
 *
 * Allows all tags that can be used inside an HTML body, save
 * for scripts and styles.
 *
 * @param $string
 *   The string with raw HTML in it.
 * @return
 *   The result of filter_xss() with the tag list below.
 */
function filter_xss_admin($string) {
  $allowed_tags = array(
    'a', 'abbr', 'acronym', 'address', 'b', 'bdo', 'big', 'blockquote', 'br',
    'caption', 'cite', 'code', 'col', 'colgroup', 'dd', 'del', 'dfn', 'div',
    'dl', 'dt', 'em', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'hr', 'i', 'img',
    'ins', 'kbd', 'li', 'object', 'ol', 'p', 'param', 'pre', 'q', 'samp',
    'small', 'span', 'strong', 'sub', 'sup', 'table', 'tbody', 'td', 'tfoot',
    'th', 'thead', 'tr', 'tt', 'ul', 'var',
  );
  return filter_xss($string, $allowed_tags);
}
/**
 * Filters XSS. Based on kses by Ulf Harnhammar, see
 * http://sourceforge.net/projects/kses
 *
 * For examples of various XSS attacks, see:
 * http://ha.ckers.org/xss.html
 *
 * This code does four things:
 * - Removes characters and constructs that can trick browsers
 * - Makes sure all HTML entities are well-formed
 * - Makes sure all HTML tags and attributes are well-formed
 * - Makes sure no HTML tags contain URLs with a disallowed protocol (e.g. javascript:)
 *
 * @param $string
 *   The string with raw HTML in it. It will be stripped of everything that can cause
 *   an XSS attack.
 * @param $allowed_tags
 *   An array of allowed tags.
 * @return
 *   The filtered string.
 */
function filter_xss($string, $allowed_tags = array('a', 'em', 'strong', 'cite', 'code', 'ul', 'ol', 'li', 'dl', 'dt', 'dd')) {
  // Hand the allowed tags to the callback used at the end of this function.
  _filter_xss_split($allowed_tags, TRUE);
  // Remove NUL characters (ignored by some browsers)
  $string = str_replace(chr(0), '', $string);
  // Remove Netscape 4 JS entities
  $string = preg_replace('%&\s*\{[^}]*(\}\s*;?|$)%', '', $string);

  // Defuse all HTML entities. The replacement has to be "&amp;": replacing
  // "&" with itself would leave malformed entities untouched.
  $string = str_replace('&', '&amp;', $string);
  // Change back only well-formed entities in our whitelist
  // Named entities
  $string = preg_replace('/&amp;([A-Za-z][A-Za-z0-9]*;)/', '&\1', $string);
  // Decimal numeric entities
  $string = preg_replace('/&amp;#([0-9]+;)/', '&#\1', $string);
  // Hexadecimal numeric entities
  $string = preg_replace('/&amp;#[Xx]0*((?:[0-9A-Fa-f]{2})+;)/', '&#x\1', $string);

  return preg_replace_callback('%
    (
    <[^>]*.(>|$)  # a string that starts with a <, up until the > or the end of the string
    |             # or
    >             # just a >
    )%x', '_filter_xss_split', $string);
}
/**
 * Processes an HTML tag.
 *
 * @param $m
 *   An array with various meaning depending on the value of $store.
 *   If $store is TRUE then the array contains the allowed tags.
 *   If $store is FALSE then the array is a regular expression match whose
 *   element 1 is the HTML tag to process.
 * @param $store
 *   Whether to store $m.
 * @return
 *   If the element isn't allowed, an empty string. Otherwise, the cleaned up
 *   version of the HTML element.
 */
function _filter_xss_split($m, $store = FALSE) {
  static $allowed_html;

  if ($store) {
    // Remember the allowed tags as array keys for quick lookup.
    $allowed_html = array_flip($m);
    return;
  }

  $tag = $m[1];

  if (strncmp($tag, '<', 1) !== 0) {
    // We matched a lone ">" character
    return '&gt;';
  }

  $parts = array();
  if (!preg_match('%^<\s*(/\s*)?([a-zA-Z0-9]+)([^>]*)>?$%', $tag, $parts)) {
    // Seriously malformed
    return '';
  }

  $closing = trim($parts[1]);
  $name = $parts[2];
  $attributes = $parts[3];

  if (!isset($allowed_html[strtolower($name)])) {
    // Disallowed HTML element
    return '';
  }

  if ($closing != '') {
    // Closing tags are emitted without any attributes.
    return "</$name>";
  }

  // Is there a closing XHTML slash at the end of the attributes?
  $xhtml_slash = '';
  if (preg_match('%\s?/\s*$%', $attributes)) {
    $xhtml_slash = ' /';
  }
  $attributes = preg_replace('%(\s?)/\s*$%', '\1', $attributes);

  // Clean up attributes
  $clean = implode(' ', _filter_xss_attributes($attributes));
  $clean = preg_replace('/[<>]/', '', $clean);
  if (strlen($clean)) {
    $clean = ' '. $clean;
  }

  return "<$name$clean$xhtml_slash>";
}
/**
 * Processes a string of HTML attributes.
 *
 * The string is consumed from the left by a small state machine:
 * mode 0 expects an attribute name, mode 1 an equals sign or the end of a
 * valueless attribute, and mode 2 an attribute value. "style" attributes and
 * attributes whose name starts with "on" are parsed but not kept.
 *
 * @param $attr
 *   The attribute part of an HTML tag.
 * @return
 *   Cleaned up version of the HTML attributes, one array entry per attribute.
 */
function _filter_xss_attributes($attr) {
  $attrarr = array();
  $mode = 0;
  $attrname = '';
  // Whether the attribute currently being parsed must be dropped.
  $skip = FALSE;

  while (strlen($attr) != 0) {
    // Was the last operation successful?
    $working = 0;

    switch ($mode) {
      case 0:
        // Attribute name, href for instance
        if (preg_match('/^([-a-zA-Z]+)/', $attr, $match)) {
          $attrname = strtolower($match[1]);
          $skip = ($attrname == 'style' || substr($attrname, 0, 2) == 'on');
          $working = $mode = 1;
          $attr = preg_replace('/^[-a-zA-Z]+/', '', $attr);
        }

        break;

      case 1:
        // Equals sign or valueless ("selected")
        if (preg_match('/^\s*=\s*/', $attr)) {
          $working = 1; $mode = 2;
          $attr = preg_replace('/^\s*=\s*/', '', $attr);
          break;
        }

        if (preg_match('/^\s+/', $attr)) {
          $working = 1; $mode = 0;
          if (!$skip) {
            $attrarr[] = $attrname;
          }
          $attr = preg_replace('/^\s+/', '', $attr);
        }

        break;

      case 2:
        // Attribute value, a URL after href= for instance
        if (preg_match('/^"([^"]*)"(\s+|$)/', $attr, $match)) {
          $thisval = filter_xss_bad_protocol($match[1]);

          if (!$skip) {
            $attrarr[] = "$attrname=\"$thisval\"";
          }
          $working = 1;
          $mode = 0;
          $attr = preg_replace('/^"[^"]*"(\s+|$)/', '', $attr);
          break;
        }

        if (preg_match("/^'([^']*)'(\s+|$)/", $attr, $match)) {
          $thisval = filter_xss_bad_protocol($match[1]);

          if (!$skip) {
            $attrarr[] = "$attrname='$thisval'";
          }
          $working = 1; $mode = 0;
          $attr = preg_replace("/^'[^']*'(\s+|$)/", '', $attr);
          break;
        }

        if (preg_match("%^([^\s\"']+)(\s+|$)%", $attr, $match)) {
          $thisval = filter_xss_bad_protocol($match[1]);

          if (!$skip) {
            $attrarr[] = "$attrname=\"$thisval\"";
          }
          $working = 1; $mode = 0;
          $attr = preg_replace("%^[^\s\"']+(\s+|$)%", '', $attr);
        }

        break;
    }

    if ($working == 0) {
      // not well formed, remove and try again
      $attr = preg_replace('/
        ^
        (
        "[^"]*("|$)     # - a string that starts with a double quote, up until the next double quote or the end of the string
        |               # or
        \'[^\']*(\'|$)| # - a string that starts with a quote, up until the next quote or the end of the string
        |               # or
        \S              # - a non-whitespace character
        )*              # any number of the above three
        \s*             # any number of whitespaces
        /x', '', $attr);
      $mode = 0;
    }
  }

  // the attribute list ends with a valueless attribute like "selected".
  // Skipped names ("style", "on...") must be dropped here as well, exactly
  // as they are when followed by whitespace or a value.
  if ($mode == 1 && !$skip) {
    $attrarr[] = $attrname;
  }
  return $attrarr;
}
/**
 * Processes an HTML attribute value and ensures it does not contain an URL
 * with a disallowed protocol (e.g. javascript:)
 *
 * @param $string
 *   The string with the attribute value.
 * @param $decode
 *   Whether to decode entities in the $string. Set to FALSE if the $string
 *   is in plain text, TRUE otherwise. Defaults to TRUE.
 * @return
 *   Cleaned up and HTML-escaped version of $string.
 */
function filter_xss_bad_protocol($string, $decode = TRUE) {
  static $allowed_protocols;
  if (!isset($allowed_protocols)) {
    // Flipped so that protocol names are array keys for quick lookup.
    $allowed_protocols = array_flip(variable_get('filter_allowed_protocols', array('http', 'https', 'ftp', 'news', 'nntp', 'telnet', 'mailto', 'irc', 'ssh', 'sftp', 'webcal')));
  }

  // Get the plain text representation of the attribute value (i.e. its meaning)
  if ($decode) {
    $string = decode_entities($string);
  }
  // Remove soft hyphen
  $string = str_replace(chr(194) . chr(173), '', $string);

  // Strip protocols. This is repeated until the string no longer changes, so
  // that a disallowed protocol hidden behind another one is removed too.
  do {
    $before = $string;
    $colonpos = strpos($string, ':');
    // No colon (FALSE) or a leading colon (0) means there is no protocol.
    if ($colonpos > 0) {
      $protocol = substr($string, 0, $colonpos);
      // A colon that comes after a slash, question mark or hash cannot end a
      // URL scheme. This is a relative URL such as "/path?time=12:30" and
      // must be left intact.
      if (preg_match('![/?#]!', $protocol)) {
        break;
      }
      // URL schemes are case-insensitive, so "HTTP:" is as valid as "http:".
      if (!isset($allowed_protocols[strtolower($protocol)])) {
        $string = substr($string, $colonpos + 1);
      }
    }
  } while ($before != $string);
  return check_plain($string);
}
1370 * @} End of "Standard filters".